---

dear hacker friends out there,

i'm a webmaster of a small homepage, and on this site i also have a
password protected area. i have made a small javascript for this and
now i would like to know how 'save' it actually is. i know that you
can't make a real 'secure' thing with javascript, but there are also
quite big differences between the various available password scripts,
and what i have tried here is to find a quite simple solution to make
a 'secure' as possible javascript.

under the following link you can find a test page with an example of
my script, and i really would appreciate if anybody could take a look
at it or maybe try to hack it.


http://www.nrg.to/yuluka/test.html



many thanks in advance,

nate


ps: you can send me responses under the email address on the test
page.

---

liquimba wrote:

> under the following link you can find a test page with an example of
> my script, and i really would appreciate if anybody could take a look
> at it or maybe try to hack it.
>
> http://www.nrg.to/yuluka/test.html

Why ? Your page is:

http://www.nrg.to/yuluka/hidden/hidden.html

--
Benny

---

Benny Nissen wrote:
> liquimba wrote:
>
>> under the following link you can find a test page with an example of
>> my script, and i really would appreciate if anybody could take a look
>> at it or maybe try to hack it.
>>
>> http://www.nrg.to/yuluka/test.html
>
>
> Why ? Your page is:
>
> http://www.nrg.to/yuluka/hidden/hidden.html
>

b.t.w.:

function verify()
{
checkname = document.pass.passname.value
checkpass = document.pass.password.value
fullpass = checkname + " " + checkpass //Überprüfung des Namen und PW
marker = false

users = 2 //Anzahl der User
userlist = new Array
userlist[0] = "43253244gdf6468864 4saddad543455654ggsaw323g" //1
userlist[1] = "g868gfdaqef85366376fddfs2
765a66569gfdrooip987ahgn32fg12a" //2


for (i = 0; i < users; i++){
if (fullpass == userlist[i]){
opener.location = "hidden/hidden.html" //Geheime Seite
marker = true
}
}
if (marker == true){
window.close()
}
else {alert("Invalid Password or Name!")
}
}

---

liquimba wrote:
> dear hacker friends out there,
> http://www.nrg.to/yuluka/test.html

If you want an unbreakable javascript login, use this:

<form name="user" action="#" onsubmit="location.href = this.code1.value +
'/' + this.code2.value + '.htm'; return false">
<p><input type="text" size="15" name="code1">&nbsp;User name</p>
<p><input type="password" size="15" name="code2">&nbsp;Password</p>
<p><input type="submit" value="Let me in" onclick="location.href =
this.form.code1.value + '/' + this.form.code2.value + '.html'; return
false"></p>
</form>

Let the 'user name' be the name of the directory and the password be the
name of the file (without extension). Don't use ordinairy words for the
login.

No hints are visible in the scripts. With 8 characters in 'user name' and
another 8 characters in the password, it will give you 2,251,875,390,625
times 2 combinations.

Good luck.

--
Yours
Erik Ginnerskov
http://hjemmesideskolen.dk - http://html-faq.dk
http://ginnerskov.frac.dk/

---

On Tue, 5 Apr 2005 18:15:51 +0200, "Erik Ginnerskov"
<erik@donotspammmeplease.invalid> wrote:

>Let the 'user name' be the name of the directory and the password be the
>name of the file (without extension). Don't use ordinairy words for the
>login.

Well, if the hidden file is placed on an ordinary webhosting server
with other customers running php, the hidden file could easily be
found (even under safe_mode- and open_basedir-restriction).

The following could be used in almost all cases - just change the
value of $otherdir :

<?php
$otherdir = "/etc";
print_r(glob("{{$_SERVER['DOCUMENT_ROOT']},$otherdir}/*",GLOB_BRACE));
?>

Amazingly, the PHP developers don't think this code has any security
impact... (furthermore, the same seems to be the case at most web
hosting companies)

--
- Peter Brodersen